Politics: Small banks facing greater cyber risks urge Congress to act

Community banks, minority lending institutions and credit unions face greater risks of cyberattacks and damage from data breaches, a group of experts told lawmakers recently. The smaller institutions are asking Congress to plug holes in laws that exempt retailers and other entities that handle financial information for smaller banks from data security regulations.

“We must step up action to deal with cybersecurity, particularly with our community banks,” said Rep. Maxine Waters, D-Calif., who chairs the House Financial Services Committee.

While large financial institutions, including Wall Street banks, have poured resources into beefing up cybersecurity, hiring in-house professionals and operating 24/7 security operations centers, smaller banks lack such resources and are dependent on third-party providers, experts told the House Financial Services Subcommittee on Consumer Protection and Financial Institutions last week.

Since financial institutions connect with one another and a vast web of companies — including retailers, suppliers, software vendors and other companies that handle customers’ financial information — an attack on one small bank could easily spread to others, experts said.

“As a result, any realistic assessment of cyber risks to the financial system cannot simply look to the bigger banks but must assess the full range of financial institutions,” said Samir Jain, director of policy at the Center for Democracy and Technology.

Laws governing data protection should cover all the entities that handle consumer financial information, including credit rating agencies, retailers and third-party tech providers, Jain said.

Ransomware and other cyberattacks targeting critical infrastructure are growing worldwide, and financial institutions are particularly vulnerable. The cybersecurity firm Trend Micro recently reported that ransomware attacks on the banking industry grew 1,318 percent in the first half of 2021 compared with the first half of 2020.

“Tech companies, financial institutions and many other businesses are collecting and storing more consumer data than ever before,” Rep. Ed Perlmutter, D-Colo., chairman of the consumer protection panel, said at last week’s hearing. “Issues of cybersecurity and consumer data rights are intertwined, and this makes cybersecurity critical for all financial institutions, large and small.”

Complicated jurisdictions

Regulation and oversight of financial institutions is spread across multiple agencies, including the Federal Reserve, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation and the National Credit Union Administration, said Jeffrey Newgard, president and CEO of the Bank of Idaho.

“Unfortunately, these disparate agencies do not adequately coordinate their data security efforts,” Newgard told lawmakers. He testified on behalf of the Independent Community Bankers of America.

Financial institutions and banks, for example, are governed by the Gramm-Leach-Bliley Act and are required to protect their customers’ data and comply with data security standards.

But retailers, tech companies and other entities that process and store financial data are not subject to standards that apply to banks, Newgard said.

“Securing data at financial institutions is of limited value if it remains exposed at the point of sale and other processing points,” Newgard said.

The rapid pace of technological change has meant that small banks are no longer able to manage their tech needs in-house. To remain competitive, they have to provide such services as mobile and internet banking but are forced to turn to so-called core processors that offer such services to multiple banks, Newgard said.

Such third-party tech providers that offer services to multiple banks could be highly vulnerable to cyberattacks, Newgard said.

Reliant on a few firms

Small banks also are highly dependent on a handful of core processors, according to Robert James, chairman of the National Bankers Association.

“Because of this concentration, our institutions are saddled with complex, onerous, long-term contracts that stifle innovation in all areas, including security and identity verification,” said James, whose group represents minority depository institutions. “Contracts are punitive if we want to terminate, and if we do, the extraction of our data for conversion is cost prohibitive.”

Some lawmakers said they would consider legislation to address the gaps.

“We must step up action to deal with cybersecurity, particularly with our community banks,” as well as minority lending institutions that are at the “mercy of core processors,” said Rep. Maxine Waters, D-Calif., chairwoman of the House Financial Services Committee.

The committee has proposed three bills, including one that would expand the scope of the Gramm-Leach-Bliley Act’s provisions and give the Consumer Financial Protection Bureau powers to enact and enforce rules governing data aggregators and other financial institutions.

Two other proposed bills would regulate third-party vendors providing services to credit unions and clarify that CFPB has authority to supervise credit rating agencies.

Newgard said retailers and other point-of-sale operators who suffer a data breach that results in a customer’s credit or debit card being exposed don’t bear any costs for restoring a customer’s financial access.

Banks often bear the cost and burden of restoring financial services to a customer, Newgard said.

Pressed by Missouri Rep. Blaine Luetkemeyer, the top Republican on the consumer protection panel, to offer a solution, Newgard said, “The retailers … the entities that are breached need to bear the cost, so they need to be responsible for that breach.”

The post Small banks facing greater cyber risks urge Congress to act appeared first on Roll Call.
